b'                                         TVA RESTRICTED INFORMATION\n\n\n\n\nMemorandum from the Office of the Inspector General\n\n\n\nDecember 13, 2012\n\nDavid G. Jolley, WT 2D-K\n\nREQUEST FOR FINAL ACTION \xe2\x80\x93 EVALUATION 2012-14506 \xe2\x80\x93 REVIEW OF PHYSICAL\nASSAULTS RISK\n\n\n\nAs part of a series of reviews to evaluate the Tennessee Valley Authority\xe2\x80\x99s (TVA) actions\nto address key risks, we evaluated TVA\xe2\x80\x99s physical assaults risk. Physical assaults risk\nwas identified in the 2011 Enterprise Risk Management Program. The results of our\nreview are shown in the table below.\n\n                                          Risk: Physical Assaults Risk\n       Risk Information                       Mitigations                                 Our Assessment\n    Definition: Physical             \xef\x82\xb7     A comprehensive physical            The mitigations are generally\n    assaults on TVA                        security plan (ongoing).            designed appropriately to address\n    employees, visitors, and                                                   the risk. Two of the actions have\n    the public on or about           \xef\x82\xb7     A Security Awareness                been implemented and two have\n    TVA property.                          Program (complete).                 not. TVA identified one design gap.\n                                     \xef\x82\xb7     Communication,                      Workplace-violence incidents were\n    Probability: Virtually                 infrastructure, and                 not always reported to Security and\n    certain.                               equipment (ongoing).                Emergency Management. This\n                                                                               prevents TVA from recognizing\n    Consequences: Minor.             \xef\x82\xb7     Security from Murray                emerging patterns and identifying\n                                           Guard Services                      possible training that could lower\n    Risk Owner: Vice                       (complete).                         the risk.\n    President of Security and\n    Emergency Management.\n\n    Recommendation:\n    Create a procedure detailing workplace-violence incidents that should be reported to TVA Security\n    and Emergency Management along with a uniform way of submitting that information.\n\n\nTVA management agreed with our findings and recommendation.\n\nBACKGROUND\n\nIn 2011, physical assaults risk was identified by TVA\xe2\x80\x99s Enterprise Risk Management1\n(ERM) program. According to TVA, ERM is a systematic process to facilitate business\nunit identification of risk, consistency in their analysis and communication throughout TVA\n1\n      The Vice President, Security and Emergency Management, is the risk owner for Physical Assaults.\n        WARNING: ThIs document is FOR OFFICIAL USE ONLY. It is to be controlled, stored, handled, transmitted,\n         distributed, and disposed of in accordance with TVA policy relating to Information Security. This information\n                 is not to be further distributed without prior approval of the Inspector General or his designee.\n\n                                         TVA RESTRICTED INFORMATION\n\x0cDavid G. Jolley\nPage 2\nDecember 13, 2012\n\n\n\nsuch that a company can determine whether or not the risks should be avoided, accepted,\nor mitigated with a risk management plan. TVA also stated that ERM is an ongoing and\nevolving process that protects the value of the enterprise and realizes opportunities for the\nstakeholders by promoting the efficient and effective management of risk.\n\nPhysical assaults risk was one of the sub-risks listed on the July 13, 2011, updated risk\nmap under the TVA employees Safety Enterprise level risk. The risk covers assaults,\nvisitors, and the public on or about TVA property. Physical assaults taking place on or\nabout TVA property could impact TVA\xe2\x80\x99s ability to provide a safe environment for its\nemployees, its liability to employees, and damage to its reputation. According to TVA\xe2\x80\x99s\nrisk map,2 physical assaults risk\xe2\x80\x99s probability was \xe2\x80\x9cvirtually certain,\xe2\x80\x9d and the impact of such\nrisk was considered \xe2\x80\x9cminor.\xe2\x80\x9d\n\nSince fiscal year (FY) 2011, ERM has evolved, and physical assaults risk has been\nreplaced with workplace violence as shown in the fourth quarter of the 2011 ERM draft.3\nThe \xe2\x80\x9cPhysical Security Performance 2009: Metrics, Benchmarks, and ROI\xe2\x80\x9d study\nperformed by the Institute of Management and Administration stated companies reported\none significant workplace-violence incident per 1,538 employees. TVA\xe2\x80\x99s total population\nincluding contractors is approximately 26,000. Therefore, TVA could be expected to have\nas many as 16.9 incidents per year. Workplace violence can be any act of physical\nviolence, harassment, intimidation, or other threatening, disruptive behavior that occurs at\nthe work site. The graph below shows as of July 11, 2012, TVA has had 12 workplace-\nviolence incidents this FY.\n\n                  Number of Workplace Violence Investigations of Incidents\n                         Trending October 1, 2011 \xe2\x80\x93 July 11, 2012\n\n\n\n\n2\n    A risk map is a two-dimensional, graphical tool used to illustrate point estimates of risk.\n3\n    Each mention of the ERM throughout this report refers to the draft version.\n                                     TVA RESTRICTED INFORMATION\n\x0cDavid G. Jolley\nPage 3\nDecember 13, 2012\n\n\n\nAccording to the Federal Bureau of Investigation, specialists have come to the conclusion\nthat workplace violence falls into four broad categories:\n\n1. Violent acts by criminals who have no other connection with the workplace but enter to\n   commit robbery or another crime.\n\n2. Violence directed at employees by customers, clients, patients, students, inmates, or\n   to whomever an organization provides services.\n\n3. Violence against coworkers, supervisors, or managers by a present or former\n   employee.\n\n4. Violence committed in the workplace by someone who does not work there but has a\n   personal relationship with an employee, e.g., an abusive or domestic partner.\n\nIn 2008, the U.S. Bureau of Labor Statistics reported more than two million American\nworkers experienced some instance of workplace violence each year. Every day there\nare an average of 2 people killed and 87 injured as a result of a workplace-violence\nincident. The cost to American businesses from workplace violence is estimated at $120\nbillion a year. The average jury award, in subsequent liability cases where the employer\nfailed to take proactive, preventative measures under the 1996 Occupational Safety and\nHealth Administration guidelines, is $3.1 million per person, per incident.\n\nOBJECTIVE, SCOPE, AND METHODOLOGY\n\nAs part of a series of reviews designed to evaluate TVA\xe2\x80\x99s actions in addressing key risk,\nwe initiated an evaluation of TVA\xe2\x80\x99s physical assaults risk. The objective of our review was\nto evaluate TVA employee, contractor, and visitor physical assaults risk identifying\nopportunities to improve mitigation strategies and assess whether mitigation strategies are\ndesigned appropriately to address the identified risk. The scope of the evaluation included\nphysical assaults risks identified to date and mitigation plans for those risks. We\nconsidered ongoing activities and efforts to mitigate physical assaults risks conducted in\nFYs 2010 and 2011. To achieve our objective, we:\n\n\xef\x82\xb7   Identified and reviewed applicable policies related to physical assaults risks.\n\xef\x82\xb7   Reviewed law enforcement information related to workplace violence.\n\xef\x82\xb7   Interviewed applicable TVA personnel including risk owners and program managers.\n\nThis review was conducted in accordance with the Quality Standards for Inspection and\nEvaluation.\n\nFINDINGS\n\nOur review found that TVA has implemented or is implementing actions to reduce the risk\nof physical assaults on TVA employees, contractors, and visitors. The mitigations were\ngenerally designed appropriately to address the risk. However, TVA identified that\nworkplace-violence incidents are not always reported to TVA Security and Emergency\n\n                              TVA RESTRICTED INFORMATION\n\x0cDavid G. Jolley\nPage 4\nDecember 13, 2012\n\n\n\nManagement. This prevents TVA from recognizing emerging patterns and identifying\npossible training that could lower the risk of similar future incidents.\n\nPhysical assaults risk were seen on TVA\xe2\x80\x99s 2010 ERM with a probability of occurrence\nrated as \xe2\x80\x9cvirtually certain\xe2\x80\x9d and consequences rated as \xe2\x80\x9cminor.\xe2\x80\x9d4 Three of the five action\nitems for TVA\xe2\x80\x99s 2010 mitigation strategy for physical assaults were unapproved and\nunfunded; the risk reappeared on TVA\xe2\x80\x99s 2011 ERM. In 2011, TVA developed a mitigation\nstrategy in order to reduce the risk that included (1) creating a comprehensive physical\nsecurity plan, (2) expanding employee education, (3) replacing communication\ninfrastructure and equipment, and (4) implementing a guard program.\n\nComprehensive Security Plan\nThe comprehensive security plan is an ongoing project that includes a risk assessment of\nfacilities, project planning for mitigation to include budget and a prioritized implementation\nplan, and life-cycle replacement plans. Currently, there are five employees assigned to\nassess the risk of TVA facilities that will identify gaps in physical security. These\nassessments ensure the correct amount of physical security is in place. The project\nplanning for mitigation and prioritized implementation plan has been completed and is\nawaiting budget approval. The life-cycle replacement plan is currently under development\nand is expected to be completed in FY 2013.\n\nExpanding Employee Education\nTVA also planned to reduce the physical assaults risk by expanding employee education\nthrough the Security Awareness Program. The Security Awareness Program had an initial\ncompletion date of August 31, 2012. However, due to reorganization within TVA, the\ncompletion date was changed to September 2012. TVA successfully reached the\ncompletion-date goal by releasing a new awareness program on September 11, 2012.\nAccording to the Program Manager, Security Awareness and Development, the goal of the\nSecurity Awareness Program is to make people more aware of security and to take\nownership of security. TVA personnel stated that with the completion of the Security\nAwareness Program:\n\n\xef\x82\xb7    Potential victims may gain knowledge to prevent an incident from occurring.\n\xef\x82\xb7    Potential victims will know what actions to take in the event an incident does occur.\n\xef\x82\xb7    People who consider committing a violent act or other crime may refrain because they\n     will be aware of the consequences.\n\nReplacing Communication Infrastructure\nThe replacement of communication infrastructure and equipment was scheduled to be\ncompleted at the end of FY 2013. The replacement of communication infrastructure and\nequipment has been rescoped because TVA Police officers are no longer used. However,\nthe rescoping did not impact the expected completion date. According to TVA personnel,\nthe implementation of the replacement of communication and infrastructure equipment will\nbe complete by September 30, 2013. TVA personnel stated communication\n\n4\n    The rankings of \xe2\x80\x9cvirtually certain\xe2\x80\x9d and \xe2\x80\x9cminor\xe2\x80\x9d from the 2011 ERM draft were applied to the 2010 ERM draft\n    due to the 2010 ERM axis not being labeled.\n                                   TVA RESTRICTED INFORMATION\n\x0cDavid G. Jolley\nPage 5\nDecember 13, 2012\n\n\n\ninfrastructure and equipment may not reduce physical assaults, but it will help ensure\nthere was an efficient response to an assault.\n\nImplementing a Guard Program\nIn February 2012, TVA announced the end of uniformed patrols. TVA contracted with\nMurray Guard Services to provide security. From March 2012 to May 2012, Murray Guard\nServices began providing security at TVA facilities. According to TVA personnel, prior to\nthe implementation of the guard program, there was not any uniformity across TVA plants.\nThe Vice President, TVA Police and Physical Security,5 stated that by focusing more of\nTVA\xe2\x80\x99s non-nuclear security resources on its critical infrastructure, TVA will be in a better\nposition to address the new and increasingly sophisticated threats facing the energy\nindustry. Also, TVA\xe2\x80\x99s realignment will better protect its employees and improve security at\nits power assets.\n\nIn addition to the mitigation plans for physical assaults, TVA has also created a Standard\nProgram and Process (SPP) entitled Physical Security Standards. The SPP addresses\nthe physical security standards needed to protect all TVA non-nuclear assets and people.\nThis SPP also establishes TVA\xe2\x80\x99s physical security standards program that is designed to:\n\n\xef\x82\xb7    Deter Threats \xe2\x80\x93 Establish a program for determining risk through security surveys,\n     needs assessments and risk, and vulnerability assessments.\n\xef\x82\xb7    Mitigate Vulnerabilities \xe2\x80\x93 Establish standards and provide management and oversight\n     for the selection, funding, implementation, and use of physical security counter\n     measures.\n\xef\x82\xb7    Minimize Negative Consequences \xe2\x80\x93 Prioritize, recommend, and approve all security\n     programs.\n\nThis procedure shall address the physical security standards needed for protection of TVA\nassets, including physical access to cyber assets.\n\nTVA has also identified a way to use tracking information that could possibly prevent\nreoccurring or future workplace-violence incidents by delivering training for specific\ntrending events. TVA personnel stated that TVA is moving toward security awareness\nand that the tracking information will translate into safety education. However, according\nto TVA personnel, the lack of reporting workplace-violence incidents is impacting the\naccuracy of information that reduces the likelihood of identifying trends. Other TVA\npersonnel stated that because of the different avenues employees have to report\nworkplace-violence incidents, not all of the information reaches the TVA Security and\nEmergency Management.\n\n\n\n\n5\n    In its continued effort to improve the quality of service provided to TVA, TVA Police and Physical Security\n    became TVA Security and Emergency Management in March, 2012.\n                                    TVA RESTRICTED INFORMATION\n\x0cDavid G. Jolley\n              y\nPag\n  ge 6\nDecember 13, 2012\n\n\n\n ECOMMEND\nRE      DATIONS\n\nWee recommend the Vice President,\n                           P         Seecurity and EEmergency M  Managemen   nt, create a\npro\n  ocedure for individuals who\n                           w receive workplace-v\n                                       w           violence inciddent reports detailing whhich\nworkplace-viole\n              ence inciden nts should be\n                                       e reported too TVA Security and Eme   ergency\nMaanagement along\n              a      with a uniform wayy of submittin\n                                                    ng that information.\n\nTVAA Managem   ment\xe2\x80\x99s Comments \xe2\x80\x93 In response to our recomm         mendation, TTVA stated\nmuultiple reporting options contribute\n                            c          to\n                                        o the confusioon of what, how, and wh   here to repoort\nworkplace-viole ence incidennts. To addrress these s hortcomingss Security an   nd Emergency\nMaanagement re  evised the Work\n                           W      Place Violence\n                                         V         SP P in late 201 12, which sta\n                                                                                ates all\nem\n mployees and   d contractors\n                            s are responnsible for nottifying their m\n                                                                    manager/sup pervisor\nwhenever they experience or observe violent, thre   eatening, or o  other disrupttive behavio\n                                                                                            ors in\nthe\n  e TVA workp  place. This does\n                            d     not ens\n                                        sure that repported incide ents reach eiither Securitty\nandd Emergency Management or Huma       an Resource  es for properr follow up aand tracking. To\nrem\n  medy this, Se ecurity and Emergency\n                            E            Managemen   nt is working g with Human Resourcess to\ndevvelop a Workplace Viole ence Incident Report Forrm. See the     e Appendix foor\nmaanagement\xe2\x80\x99s  s complete reesponse.\n\nAuditor\xe2\x80\x99s Response \xe2\x80\x93 The OIG concu\n                                 urs with plan\n                                             nned and co\n                                                       ompleted acttion.\n\n                                -       -       -       -       -\n\nPle\n  ease notify us within one\n                          e year from the date of thhis memoran   ndum when final action is\ncom\n  mplete. Infoormation conntained in this report mayy be subjectt to public dissclosure. Pllease\nadv           ny sensitive information in this reporrt that you re\n  vise us of an                                                  ecommend b  be withheld.\n\nIf you\n   y have any   y questions or\n                             o wish to discuss our o bservations,, please conntact Michae el L.\nLan ne, Auditor, at (423) 785\n                            5-4816 or Grreg Stinson, Director, Evvaluations, a\n                                                                             at (865) 633--\n736 67. We appreciate the courtesy\n                            c        andd cooperatio\n                                                   on received ffrom your sta aff during the\n                                                                                           e\nevaaluation.\n\n\n\n\nRobert E. Martin\nAss\n  sistant Inspe\n              ector Genera\n                         al\n (A\n  Audits and Evaluations)\n              E\nET 3C-K\n\nMLLL:FAJ\ncc: Peyton T. Hairston, Jrr., WT 7B-K\n    Joseph J. Hoagland, WTW 7C-K\n    Tom Kilgore, WT 7B-K K\n    Richard W.\n             W Moore, ET T 4C-K\n    Emily J. Reynolds,\n             R         OCCP 1L-NST\n    Robert B. Wells, WT 9B-K\n                         9\n    Andrea L. Williams, WT\n                        W 9B-K\n    OIG File No:\n             N 2012-145   506\n                               TVA REST\n                                      TRICTED INF\n                                                FORMATION\n\x0c                             APPENDIX\n                             Page 1 of 1\n\n\n\n\nTVA RESTRICTED INFORMATION\n\x0c'